The ATO Challenge: Blocking Hijacked Accounts at the Point of Takeover

To prevent downstream damage, account takeover must be dealt with proactively, at the account level.

Ting-Fang Yen
DataVisor
Oct 15, 2019

Fraud losses have reached staggering levels, and while there continue to be minor fluctuations year-over-year, the overall situation is dire: in 2018 alone, fraud losses hit $14.7 billion. Many different attack types contribute to these numbers, but Account Takeover (ATO) is uniquely devastating, accounting for $4 billion of those 2018 losses. In the e-commerce sector, nearly 40% of all fraud losses in 2018 were due to identity theft and synthetic identities, and this represents almost a 100% increase over the preceding year.

Credential Stuffing

Account compromise comes in many forms, with one of the most common being credential stuffing. Given how often data is exposed in breaches, it’s not surprising that fraudsters are using all that data to try to determine credential validity through brute force attacks. According to Ponemon Institute’s The Cost of Credential Stuffing Report, companies experience 12.7 credential stuffing attacks each month, with more than 1,200 user accounts typically targeted in each credential stuffing attack. Approximately 12.4 percent of these attempts are successful.

The Mobile Problem

As mobile phones become an increasingly common part of our identity (e.g., phone numbers used as logins, phones as the primary factor for texts, voice, or other types of multi-factor authentication), fraudsters have also shifted their focus to more aggressively target mobile accounts. Mobile phone account takeovers rose nearly 180% from 2017 to 2018, resulting in nearly 700k ATO incidents. Hijacking a phone number means that the fraudster not only controls all online accounts tied to the number but can also intercept SMS messages — a preferred method for verifying financial account logins.

Blocking Bad Actors to Protect Good Customers

As wretched as these numbers sound, they only paint a portion of the picture when it comes to addressing the challenge of ATO attacks. Not only do businesses have to defend against the bad actors, but they also have to simultaneously protect their good customers. If a good customer’s account gets hijacked, they need to have confidence that they will be protected before any damage can occur. So it’s not enough to rely on a fraud solution that addresses only the end action — the actual theft of assets. Businesses have to focus on the good users as well and address their account issues before the next crime occurs.

Account Level vs. Transaction Level

This is easier said than done. It requires proactive detection. You have to spot potential attacks and stop them before they can launch. You have to be able to identify incubating accounts, recognize what they’re being primed for, and neutralize them before they can be harnessed for use in a major coordinated attack. Too many existing solutions address fraud at the transaction level. However, with ATO, that’s already too late. Successful ATO prevention necessitates prevention at the account level — you need to know the moment an account gets compromised, so you can prevent damage, and preserve the user’s safe and secure experience.

Prevention, Not Detection

Yinglian Xie, DataVisor Co-Founder and CEO, spoke to the critical importance of proactive action in a recent report from The Sunday Times focused on “The Future of Fintech”:

“You have to identify potential attacks in the very early stages and stop them before they can launch. To do this, you must be able to identify incubating accounts, recognize what they’re being primed for and neutralize them before they can be harnessed for use in a major coordinated attack.”

Yinglian goes on to note that “the true goal of any fraud management strategy isn’t actually detection, it’s prevention.” When it comes to the challenge of account takeover, this couldn’t be more accurate. With every second after an account gets hijacked, the risk of downstream damage goes up. Fraudsters take over accounts to use them for malicious purposes. The more time we give them, the more damage they’ll cause. This is why it’s imperative that we block compromised accounts at the point of takeover.

~

Many of these findings first appeared in DataVisor’s Q2 2019 Fraud Index Report.

Ting-Fang Yen is Director of Research at DataVisor, a startup providing big data security analytics for online services and financial institutions.